Monthly Archives: April 2009

The Conficker worm has begun to update the machines it has infected with a new set of instructions to spread to other machines and then self-destruct, security experts say.

Security researchers tracking the worm said some of the infected computers began receiving instructions on April 7 from other infected machines. Conficker is able to send updates to computers it has infected either by directing the computers to visit websites or through a peer-to-peer network of infected machines.

Last week Conficker had computer and internet organizations worldwide up in arms against it because it was known that a variant of the worm would begin accelerating the speed with which it reached out to websites on April 1.

It was thought the worm might send out instructions that day, but instead it appears to have waited a week before doing so, and rather than sending the instructions through a website, it sent them over the peer-to-peer network.

The instructions tell the computers to attempt to contact other computers and exploit a vulnerability in older Microsoft Windows products — Windows 2000, Windows XP and Windows Server 2003 — that would allow the worm to take over the computer and expand its network of infected machines.

The instructions had appeared on previous versions of the worm but were removed in the Conficker C variant, leading security experts to believe the people behind the virus were trying to temporarily slow its growth to make it harder to track.

The new instructions also direct computers to visit established websites such as myspace.com, msn.com, ebay.com, cnn.com, and aol.com, but once there no code is downloaded or weaknesses are exploited, leading some firms to suggest the worm is simply checking to confirm the computer is connected with the internet.

The instructions also appear to have a time limit, Symantec reports. On May 3, 2009, the new instructions will not only stop running, but the worm will activate a self-removal program, although it’s not known when it does this whether it will leave behind some legacy of the worm or perhaps another, different worm.

Kevin Haley, director of Symantec Security Response, said the self-destruction instruction is unique, and may be the virus writer’s way of making it harder for users to track its progress.

“Conficker is the name on everybody’s lips right now, so if you remove the traces of Conficker but leave something else behind, users won’t know what to look for,” he said.

Symantec has speculated Conficker might be connected to another spam bot, called Waledac.

Conficker changed the way parts of the botnet communicated overnight, but little else of note has happened so far.

The malware is far from an April Fool’s joke, but it’s obviously a long way from the Skynet botnet, as depicted in Terminator 3, that some of the more fevered imaginings of the media hinted at. The main activity that accompanied the run-up to the activation date was the registration of dozens of new domain names designed to advertise rogue security packages in the guise of Conficker clean-up tools.

As widely predicted by security vendors beforehand, Conficker and its 1 April activation was more about hype rather than havoc. As F-Secure notes, worms with triggers have consistently failed to do anything on that date. Previous damp squibs include the Michelangelo virus (1992), CIH (1999), SoBig (2003), and MyDoom (2004).

Nonetheless, Conficker remains implanted on many computers, anywhere between 1-4 million, according to the latest estimates.

Conficker first began spreading in November, using a variety of techniques including the exploitation of a well-known Windows vulnerability. Once it secured a foothold on infected networks the worm is capable of spreading across network shares by exploiting weak password security. The malware is also capable of spreading using infected USB drives.

Early versions of Conficker called home to 250 different domain names every day to see if updates were available. From Wednesday, machines infected by the latest version of Conficker began to poll a sample of 500 out of 50,000 domains a day, making attempts to interfere with the update process more difficult. Most compromised machines are thought to be infected by the earlier B variant, whose behaviour has not changed.

Still earlier versions of the worm include peer-to-peer functionality, so that infected computers can communicate between themselves without the need for a server. This functionality might be used to pass around software updates or initiates malicious activity without the need for update servers. And the new call home routine of the latest variant of the worm is due to take place from now on, so that “sleeper” botnet could be unleashed at any future date.